geth-sgx-gramine remote attestation flow

[sbellem]

Te goal of this issue is to properly understand the remote attestation flow in geth-sgx-gramine.

See https://github.com/flashbots/geth-sgx-gramine#how-does-the-attestation-work for an introduction.

geth-sgx-gramine leverages gramine's ra-tls interface, documented in https://gramine.readthedocs.io/en/stable/attestation.html#mid-level-ra-tls-interface. A minimal example is provided by gramine at https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-mbedtls.

It's important to note that gramine's ra-tls flow supports both EPID and ECDSA-based attestations. However, as per their documentation, geth-sgx-gramine only supports DCAP (ECDSA). It seems that it's possible to support EPID as well though by making small modifications to geth-sgx-gramine/attest.c (@njeans did this work).

For both EPID and DCAP, communication with a trusted entity is necessary to verify the SGX quote. In the case of EPID it's IAS (Intel Attestation Service), and in the case of DCAP, it's some attestation infrastructure, like PCCS.

If we are using EPID, we can just keep on using IAS, which we know how.

If we are to use DCAP, then we could use PCCS. We currently know how to run a PCCS server, in a docker container, such that it could be integrated with our docker based setup. A more thorough understanding of the overall flow is necessary.

Links

• Gramine RA-TLS Minimal Example
• Flashbots geth-sgx-gramine docs
• Flashbots geth-sgx-gramine attest tool
• Intel PCCS docs
• PCCS Dockerfile
• QuoteGeneration Sample to test PCCS